ComboFix 10-07-29.04 - Marc Lebesque 07/30/2010 21:21:44.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.767.341 [GMT -4:00]
Running from: c:\users\Marc Lebesque\AppData\Local\Temp\Temp1_ComboFix.zip\ComboFix.exe
AV: Live Security Suite *On-access scanning disabled* (Updated) {245F4CD3-9DDA-4562-B8AA-3FABDF69AD79}
[Reviewer note: this is the only product registered with Security Center as antivirus, it reports on-access scanning as disabled, and its GUID is the one the "security center" AVPath value below points at. Given the rogue-AV remnant recorded later in this log ("Win Antispyware Center" under SystemDefender2010), this registration should be verified as a genuine product before being trusted; until then the host should be treated as having had no working real-time protection.]
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\driver
c:\program files\webserver
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\system32\AutoRun.inf
c:\windows\system32\config\systemprofile\AppData\Local\0535049569854.xxe
c:\windows\system32\config\systemprofile\AppData\Local\0995154505553.xxe
c:\windows\system32\config\systemprofile\AppData\Local\KBDLemf.dll
c:\windows\system32\config\systemprofile\AppData\Local\rdr_1182429275.exe
c:\windows\system32\config\systemprofile\AppData\Local\rdr_1182432438.exe
c:\windows\system32\config\systemprofile\Desktop\spam001.exe
c:\windows\system32\config\systemprofile\Desktop\spam003.exe
c:\windows\system32\config\systemprofile\Desktop\troj000.exe
[Reviewer note: c:\windows\system32\config\systemprofile is the profile of the built-in SYSTEM account, so the executables and DLL dropped there were written by code running as SYSTEM, not by the logged-on user. An AutoRun.inf placed in system32 is also outside any normal software footprint. Together these indicate full-privilege compromise: any credentials used on this machine should be considered exposed and changed from a clean device, and a rebuild should be weighed against continued cleanup.]
c:\windows\system32\df1a245s4_2360.exe
c:\windows\system32\msvcrt2.dll
c:\windows\system32\o.dat
Infected copy of c:\windows\system32\DRIVERS\RASACD.SYS was found and disinfected
Restored copy from - Kitty ate it :p
[Reviewer note: the tool does not state where the replacement RASACD.SYS came from. A patched kernel driver is a rootkit-style persistence point, so the restored file should be checked independently — confirm its digital signature and compare it with the copy under the Windows component store, or run "sfc /scannow" — rather than relying on this line alone.]
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_DRIVERDRV
-------\Legacy_PDRV
((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-31 )))))))))))))))))))))))))))))))
.
2010-07-31 01:42 . 2010-07-31 01:42 -------- d-----w- c:\users\Mom\AppData\Local\temp
2010-07-31 01:42 . 2010-07-31 01:42 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-07-31 01:42 . 2010-07-31 01:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-31 01:42 . 2010-07-31 01:42 -------- d-----w- c:\users\Brooke\AppData\Local\temp
2010-07-31 01:41 . 2010-07-31 01:41 -------- d-----w- c:\users\Arden\AppData\Local\temp
2010-07-31 01:40 . 2010-07-31 01:53 -------- d-----w- c:\users\Marc Lebesque\AppData\Local\temp
2010-07-31 01:40 . 2010-07-31 01:40 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-31 01:55 . 2008-12-21 14:21 -------- d-----w- c:\users\Marc Lebesque\AppData\Roaming\LimeWire
2010-07-31 01:54 . 2009-01-08 23:19 -------- d-----w- c:\users\Marc Lebesque\AppData\Roaming\DNA
2010-07-31 01:54 . 2007-06-17 17:20 -------- d-----w- c:\program files\DNA
2010-07-31 01:01 . 2009-12-09 18:59 -------- d-----w- c:\programdata\Microsoft Help
2010-05-12 15:21 . 2009-10-03 06:18 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-02 23:33 . 2010-05-02 23:33 262144 ----a-w- c:\programdata\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-07-17 21:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-21 2153472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-02 39408]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2007-06-17 323392]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2008-01-31 630784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-31 4669440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-11 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"SSDMonitor"="c:\program files\Common Files\PC Tools\sMonitor\SSDMonitor.exe" [2010-04-08 104408]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-02 39408]
c:\users\Marc Lebesque\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
IMVU.lnk - c:\users\Marc Lebesque\AppData\Roaming\IMVUClient\IMVUClient.exe [2008-12-4 49408]
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-9-18 147456]
[Reviewer note: this host autostarts LimeWire and also runs BitTorrent DNA at logon (the "BitTorrent DNA" run entry above). The log cannot show how the infection arrived, but peer-to-peer downloads are a frequent vector for the kind of rogue-AV and trojan files removed here; the LimeWire shared and download folders should be scanned, and the owner should consider removing the autostart of these clients.]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[Reviewer note: EnableLUA=0 means User Account Control is turned off entirely, and ConsentPromptBehaviorAdmin=0 means elevation happens without any prompt. Whether this was set by the owner or by the malware cannot be determined from the log, but in this state every process started by an administrator account already runs with full rights. After cleanup, set EnableLUA back to 1 (a reboot is required for it to take effect) and restore the default consent prompt.]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AVPath"="\\\\.\\root\\SecurityCenter:AntiVirusProduct.instanceGuid=\"{245F4CD3-9DDA-4562-B8AA-3FABDF69AD79}\""
R2 gupdate1c9adb578c67e50;Google Update Service (gupdate1c9adb578c67e50);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-26 133104]
R3 XDva219;XDva219;c:\windows\system32\XDva219.sys [x]
[Reviewer note: "[x]" marks a service whose image file is missing — the service entry for this driver remains in the registry but c:\windows\system32\XDva219.sys is not on disk. The log does not show what it belonged to; if it cannot be tied to an installed product, the orphaned service entry should be removed so nothing can later drop a file at that path and be loaded by it.]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [2010-04-08 632792]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder
2010-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-26 01:51]
2010-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-26 01:51]
2010-06-03 c:\windows\Tasks\Norton Security Scan for Arden.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-18 16:54]
2010-07-31 c:\windows\Tasks\User_Feed_Synchronization-{0A45ACF2-2097-4FF9-924B-D0B3729EA314}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/?src=aim
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
[Reviewer note: the user's Internet Explorer settings route all HTTP through a proxy on the local machine at port 5577. Nothing in this log's process or service list accounts for a legitimate local proxy, and a loopback proxy is a common way for rogue security software to intercept browsing and redirect to its own pages. Unless a known product is listening on that port, clear this proxy setting (Internet Options > Connections > LAN settings) and confirm nothing is still bound to 127.0.0.1:5577.]
IE: &AIM Toolbar Search - c:\programdata\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-Aim6 - c:\program files\AIM6\aim6.exe
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
SafeBoot-dmboot.sys
SafeBoot-dmio.sys
SafeBoot-dmload.sys
SafeBoot-dmadmin
SafeBoot-dmserver
SafeBoot-SRService
AddRemove-Win Antispyware Center - c:\program files\SystemDefender2010\Win Antispyware Center.exe
[Reviewer note: only the Add/Remove Programs entry for this rogue "antispyware" product was removed here; the "Other Deletions" section above does not list c:\program files\SystemDefender2010 itself. Check that the directory and its executable are gone, and look for any remaining run keys, scheduled tasks or Security Center registration associated with it.]
**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\RtHDVCpl.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
.
Completion time: 2010-07-30 22:03:50 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-31 02:03
Pre-Run: 183,105,748,992 bytes free
Post-Run: 187,176,468,480 bytes free
- - End Of File - - D37BBB79CAFFB756F88BDE56A0E6D60B